I have the output of a firewall config. I want to make sure that our naming standard is consistent with the actual function of the network object.
I have a table of the name of the object and the subnet and mask. I want to compare the name and name-combo fields to see if they are the same, and show only those that are not the same.
Example rows (columns: cluster, name, name-combo, subnet, bits, match):
1 FW1-2 NET69.90.64.0-20 NET69.90.64.0-20 69.90.64.0 20 No Match
2 FW1-2 NET69.90.63.0-8 NET69.90.63.0-20 69.90.64.0 20 No Match
Here is my search:
`abc_firewall_rules` eventtype=subnet [search index="abc_rules" eventtype=subnet | dedup cluster | fields + source]
| dedup name,cluster | eval name-combo="NET".subnet."-".bits
| eval match=if(name-combo=name,"Match","No Match")
| table cluster,name,name-combo,subnet,bits,match
Row 1 should show Match and row 2 should show No Match.
I have tried using | where NOT name=name-combo
I have tried using | where name!=name-combo
All show "No results found", but in my sample data there are rows that do not match and should show up.
Any ideas?
I think I have it figured out - it's a weird one! Field names are supposed to contain letters, numerals or the underscore, and must start with a letter. name-combo violates this rule, but Splunk doesn't complain! The reason why it doesn't work is that in the if statement, Splunk interprets your test as "name - combo = name" - this will never match...
So change name-combo to name_combo and it should work.
I have a similar problem. I apply a filter after stats:
stats dc(field1) as someCount dc(someThing) as otherCount by group | search NOT someCount=otherCount
The above search returns all values, regardless of whether they match or not, so I assume it's checking where someCount matches a literal of "otherCount". This works:
... | eval countDiff=someCount-otherCount | search NOT countDiff=0
HTH
Actually Brett, your problem is different.
| search NOT someCount=otherCount
is interpreted as
| search NOT someCount="otherCount"
search always searches for name=value, whether you use the quotes around the value or not. You could make the first search work by using where instead:
... | stats dc(field1) as someCount dc(someThing) as otherCount by group
| where NOT someCount=otherCount
What if one field with string "A" is a substring of field "B"?
| where B=*A*
How can we find that out?
Hi @payal4296,
Please try the below; it checks whether field A is a substring of field B:
| eval A="%".A."%"
| where B like A
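To confirm the fix end to end, here is an added example (not from any of the posts above) that builds the two sample rows with makeresults, so it runs against no index: it uses the underscore field name name_combo, keeps only the mismatching rows with where, and also folds in the substring check from the question above using the like() eval function. The cluster, subnet and bits values are taken from the example rows; the row and subnet_in_name fields are names introduced here for the example.

```spl
| makeresults count=2
| streamstats count AS row
| eval cluster="FW1-2",
       subnet="69.90.64.0",
       bits="20",
       name=if(row=1, "NET69.90.64.0-20", "NET69.90.63.0-8")
| eval name_combo="NET".subnet."-".bits
| eval match=if(name_combo=name, "Match", "No Match")
| eval subnet_in_name=if(like(name, "%".subnet."%"), "yes", "no")
| where name!=name_combo
| table cluster name name_combo subnet bits match subnet_in_name
```

Only row 2 (name NET69.90.63.0-8, name_combo NET69.90.64.0-20, match "No Match", subnet_in_name "no") survives the where clause; swapping name_combo back to name-combo is what breaks the comparison, since the eval then reads it as name minus combo.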
Well, getting somewhere now.
It appears that my field name-combo is not a string (thanks for your test command).
So I tried to convert the field to a string with
eval name-combo=tostring(name-combo)
However, I am not able to get a "string" output from that.
If your search is working properly, you should have output, regardless of whether things match or not. Does this search return any results? What does the search job inspector say?
`abc_firewall_rules` eventtype=subnet [search index="abc_rules" eventtype=subnet | dedup cluster | fields + source]
I am guessing that this is a problem with your search, not your logic.
The search is fine, I get results from that search. The problem appears to be that the concatenated string isn't coming out as a string to compare with.
I usually do some checks on my fields when this happens, using eval to make sure that I'm comparing what I expect. This should be comparing string to string, but make sure the types are OK: | eval test=if(isstr(name), "String", "Not String") | table test. Everything looks good as far as I can tell.